<!DOCTYPE html>
<html>

  <head>
    <meta charset='utf-8' />
    <meta http-equiv="X-UA-Compatible" content="chrome=1" />
    <meta name="description" content="CAS - Single Sign-On for the Web" />
    
    
    <link rel="stylesheet" type="text/css" media="screen"
          href="../../stylesheets/v40x-stylesheet.css">
    <link rel="stylesheet" type="text/css" media="print"
          href="../../stylesheets/print.css">
    <title>CAS - JAAS Authentication</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <script src="../../javascripts/URI.js"></script>
    <script src="../../javascripts/v40x-main.js"></script>
  </head>

  <body>
    <!-- HEADER -->
    <div id="header_wrap" class="outer">
        <header class="inner">
          <a id="forkme_banner" href="https://github.com/Jasig/cas">View on GitHub</a>
          <div id="project_title">
            <a class="undecorated" href="../../index.html">
              <img class="undecorated" src="../../images/cas_logo.png"/>
            </a>
          </div>
          <h2 id="project_tagline">Single Sign-On for the Web</h2>
        </header>
    </div>

    <!-- NAVBAR -->    
    <div id="navbar_wrap" class="outer">
      <header id="navbar_content" class="inner">
        <div class="navlink">
  <a href="../../index.html">Home</a>
</div>
<div class="navlink">
  <a href="https://github.com/Jasig/cas/releases">Downloads</a>
</div>
<div class="navlink">
  <a href="https://www.google.com/cse/publicurl?cx=017040929083740828958:sqr2hwvrxmg">Search</a>
</div>
<div class="navlink">
  <a href="../../Support.html">Support</a>
</div>
<div class="navlink">
  <a href="../../Mailing-Lists.html">Mailing Lists</a>
</div>
<div class="navlink">
  <a href="../../Older-Versions.html">Older Versions</a>
</div>

        </header>
    </div>

      <!-- SIDEBAR -->
      <div id="sidebar_wrap" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="sidebartoc"></span>
        </header >
      </div>
      
      <!-- PAGE TABLE OF CONTENTS -->
      <div id="table_contents" class="outer">
        <header id="sidebar_content" class="inner">
          <span id="tableOfContents"></span>
        </header>
      </div>
      
      <!-- MAIN CONTENT -->
      <div id="main_content_wrap" class="outer">
        <section id="main_content" class="inner">
          <h1 id="jaas-authentication">JAAS Authentication</h1>
<p><a href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS</a> is a Java standard
authentication and authorization API. JAAS is configured via externalized plain text configuration file.
Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS
and allows for PAM-style multi-module “stacked” authentication.</p>

<h2 id="jaas-components">JAAS Components</h2>
<p>JAAS components are provided in the CAS core module and require no additional dependencies to use.</p>

<h6 id="jaasauthenticationhandler"><code>JaasAuthenticationHandler</code></h6>
<p>The JAAS handler delegates to the built-in JAAS subsystem to perform authentication according to the
directives in the JAAS config file. The handler only exposes a single configuration property:</p>

<ul>
  <li><code>realm</code> - JAAS realm name. (Defaults to <em>CAS</em>.)</li>
</ul>

<p>The following configuration excerpt demonstrates how to configure the JAAS handler in <code>deployerConfigContext.xml</code>:</p>

<div class="highlight"><pre><code class="xml"><span class="nt">&lt;bean</span> <span class="na">class=</span><span class="s">&quot;org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler&quot;</span>
      <span class="na">p:realm=</span><span class="s">&quot;CustomCasRealm&quot;</span> <span class="nt">/&gt;</span>
</code></pre></div>

<h2 id="jaas-configuration-file">JAAS Configuration File</h2>
<p>The default JAAS configuration file is located at <code>$JRE_HOME/lib/security/java.security</code>. It’s important to note
that JAAS configuration applies to the entire JVM. The path to the JAAS configuration file in effect may be altered
by setting the <code>java.security.auth.login.config</code> system property to an alternate file path.
A sample JAAS configuration file is provided for reference.</p>

<pre><code>/**
  * Login Configuration for JAAS. First try Kerberos, then LDAP, then AD
  * Note that a valid krb5.conf must be supplied to the JVM for Kerberos auth
  * -Djava.security.krb5.conf=/etc/krb5.conf
  */
CAS {
  com.ibm.security.auth.module.Krb5LoginModule sufficient
    debug=FALSE;
    edu.uconn.netid.jaas.LDAPLoginModule sufficient
    java.naming.provider.url="ldap://ldap.my.org:389/dc=my,dc=org"
    java.naming.security.principal="uid=cas,dc=my,dc=org"
    java.naming.security.credentials="password"
    Attribute="uid"
    startTLS="true";
  edu.uconn.netid.jaas.LDAPLoginModule sufficient
    java.naming.provider.url="ldaps://ad.my.org:636/dc=ad,dc=my,dc=org"
    java.naming.security.principal="cas@ad.my.org"
    java.naming.security.credentials="password"
    Attribute="sAMAccountName";
};
</code></pre>

        </section>
      </div>

    <!-- FOOTER  -->
    <div id="footer_wrap" class="outer">
      <footer class="inner">
        <p>CAS is supported by the <a href="http://www.apereo.org/">Apereo Foundation</a>.</p>
      </footer>
    </div>
  </body>
</html>
